Release Builds

1. Introduction

Task enclaves need to be built and signed in special ways to be used in a production environment. When you want to use Sharemind HI in production, we will share the necessary additional build environment and instructions with you. This page provides a high-level overview.

2. Reproducible Builds

Task enclaves should be built in a reproducible way, so that source code auditors and task enclave developers produce the same task enclave binaries, with the same MRENCLAVE value.

3. Building

Make sure to point your task enclave project to the production Sharemind HI release. In the standard template this is done through the sharemind-hi_ROOT CMake variable in the config.local file. If you set your SGX_MODE or CMAKE_BUILD_MODE manually, make sure they have the values HW and Release, respectively. You can then build your packages as usual.

make -j$(nproc)
# Use either one of these:
cpack -G DEB
cpack -G TGZ

4. Signing

Right now, the Sharemind HI SDK only supports the two-phase signing process (Intel® SGX Developer Reference, p. 22). Hence, in release mode, cpack only creates packages containing the unsigned enclaves, which you can then sign separately with your production enclave signing key.
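
The two-phase flow referenced above, sketched with Intel's sgx_sign tool and openssl as an added example; this is not Sharemind HI's own tooling or instructions. All file names are placeholders, and the split between a build host and a signing facility is an assumption about how the production key is kept.

```shell
#!/bin/sh
# Added example: two-phase enclave signing with Intel's sgx_sign and openssl.
# Every file name passed to these functions is a placeholder.

# SGX enclave signing keys must be 3072-bit RSA with public exponent 3.
check_sgx_key() {  # <private.pem>
    key_text=$(openssl rsa -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$key_text" | grep -q '(3072 bit' || return 1
    printf '%s\n' "$key_text" | grep -q 'publicExponent: 3 (' || return 1
}

# Build host: write the signing material for the unsigned enclave.
gen_signing_material() {  # <unsigned.so> <config.xml> <material.out>
    sgx_sign gendata -enclave "$1" -config "$2" -out "$3"
}

# Signing facility (the only place the private key exists): sign the material.
sign_material() {  # <private.pem> <material> <signature.out>
    check_sgx_key "$1" || { echo "not a 3072-bit e=3 RSA key: $1" >&2; return 1; }
    openssl dgst -sha256 -sign "$1" -keyform PEM -out "$3" "$2" || return 1
}

# Either side: confirm the signature matches the material and the public key.
verify_material_signature() {  # <public.pem> <material> <signature>
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Build host: combine the unsigned enclave, signature and public key.
attach_signature() {  # <unsigned.so> <config.xml> <public.pem> <signature> <material> <signed.so>
    verify_material_signature "$3" "$5" "$4" || { echo "signature mismatch" >&2; return 1; }
    sgx_sign catsig -enclave "$1" -config "$2" -key "$3" -sig "$4" -unsigned "$5" -out "$6"
}
```

Only the signing material and the resulting signature cross between the two hosts; the private key never reaches the build host.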

5. Deployment

The Sharemind HI Server is distributed via the Sharemind APT repository. You do not need to use the same distribution method when deploying production task enclaves to the target machine.